Okta’s Investigation of the January 2022 Compromise
On March 21, 2022, nearly 24 hours ago, a number of screenshots were published online that were taken from a computer used by one of Okta's third-party customer support engineers. The sharing of these screenshots is embarrassing for myself and the whole Okta team.
In this post, I want to provide a timeline and my perspective on what has transpired, and where we are today with this investigation. I'm hoping that this will illuminate why I'm confident in our conclusions that the Okta service has not been breached and that there are no corrective actions that need to be taken by our customers.
By way of background, like many SaaS providers, Okta uses several companies ("sub-processors") to expand our workforce. These entities help us deliver for our customers and make them successful with our products. Sitel, through its acquisition of Sykes, is an Okta sub-processor that provides Okta with contract workers for our Customer Support organization.
On January 20, 2022, the Okta Security team was alerted that an attempt had been made to add a new MFA factor to a Sitel customer support engineer's Okta account. Although that individual attempt was unsuccessful, out of an abundance of caution we reset the account and notified Sitel, who engaged a leading forensic firm to perform an investigation.
The following timeline outlines the key milestones:
Timeline (times in UTC)
- January 20, 2022, at 23:18 – Okta Security received an alert that a new MFA factor was being added to a Sitel employee's Okta account from a new location.
- January 20, 2022, at 23:46 – Okta Security investigated the alert and escalated it to a security incident.
- January 21, 2022, at 00:18 – The Okta Service Desk was added to the incident to assist with containing the user's account.
- January 21, 2022, at 00:28 – The Okta Service Desk terminated the user's Okta sessions and suspended the account until the root cause of the suspicious activity could be identified and remediated.
- January 21, 2022, at 18:00 – Okta Security shared indicators of compromise with Sitel. Sitel informed us that they had retained outside support from a leading forensic firm.
- January 21, 2022 to March 10, 2022 – The forensic firm's investigation and analysis of the incident was conducted until February 28, 2022, with its report to Sitel dated March 10, 2022.
- March 17, 2022 – Okta received a summary report about the incident from Sitel.
- March 22, 2022, at 03:30 – Screenshots were shared online by LAPSUS$.
- March 22, 2022, at 05:00 – Okta Security determined that the screenshots were related to the January incident at Sitel.
- March 22, 2022, at 12:27 – Okta received the complete investigation report from Sitel.
I am greatly disappointed by the long period of time that transpired between our notification to Sitel and the issuance of the complete investigation report. Upon reflection, once we received the Sitel summary report we should have moved more swiftly to understand its implications.
Our investigation determined that the screenshots, which were not contained in the Sitel summary report, were taken from a Sitel support engineer's computer on which an attacker had obtained remote access using RDP. This device was owned and managed by Sitel. The scenario here is analogous to walking away from your computer at a coffee shop, whereby a stranger has (virtually, in this case) sat down at your machine and is using the mouse and keyboard. So while the attacker never gained access to the Okta service via account takeover, a machine that was logged into Okta was compromised, and they were able to take screenshots and control the machine through the RDP session.
It's important to understand that the access a support engineer has is limited to basic duties in handling inbound support queries. Support engineers use a number of customer support tools to get their job done, including Okta's instances of Jira, Slack, Splunk, RingCentral, and support tickets through Salesforce. The majority of support engineering tasks are performed using an internally-built application called SuperUser, or SU for short, which is used to perform basic management functions on Okta customer tenants. This does not provide "god-like access" to all its users. It is an application built with least privilege in mind, to ensure that support engineers are granted only the specific access they require to perform their roles. They are unable to create or delete users. They cannot download customer databases. They cannot access our source code repositories.
The report from the forensic firm highlighted that there was a five-day window, between January 16 and 21, 2022, when the threat actor had access to the Sitel environment, which we validated with our own analysis.
In trying to scope the blast radius for this incident, our team assumed the worst-case scenario and examined all of the access performed by all Sitel employees to the SuperUser application for the five-day period in question. Over the past 24 hours we have analyzed more than 125,000 log entries to ascertain what actions were performed by Sitel during the relevant period. We have determined that the maximum potential impact is 366 (approximately 2.5% of) customers whose Okta tenant was accessed by Sitel.
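The two log checks this post describes, the alert on an MFA factor being added from a new location and the five-day blast-radius scoping of SuperUser access, can both be expressed as simple passes over a system log. The following is an added example, not Okta's tooling or code from the post: it runs over a handful of constructed JSON-lines events whose shape is loosely modeled on the Okta System Log (`eventType`, `actor.alternateId`, `client.geographicalContext.country`, `outcome.result`, `target`). The event type `support.tenant.access`, the field layout, the actor names and the tenant names are assumptions made for the example. The first check learns each user's countries from prior successful sign-ins and flags any factor change from a country not yet seen for that user, including failed attempts, since the attempt itself was the signal in this incident; the second restricts to a set of actors and a time window and lists the tenants they touched.

```python
"""Added example: two log checks over constructed Okta-System-Log-style events.
1. flag MFA factor changes (successful or failed) from a country never seen in
   that user's earlier successful sign-ins;
2. scope which customer tenants a set of support accounts touched in a window.
Event type names, field layout and all sample data are assumptions of this
example, not taken from the post or from Okta's tooling."""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events, one JSON object per line, deliberately out of order.
SAMPLE_LOG = r"""
{"published": "2022-01-10T08:00:00Z", "eventType": "user.session.start", "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "bob@sitel.example"}, "client": {"ipAddress": "203.0.113.20", "geographicalContext": {"country": "US"}}, "target": []}
{"published": "2022-01-14T11:30:00Z", "eventType": "support.tenant.access", "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "bob@sitel.example"}, "client": {"ipAddress": "203.0.113.20", "geographicalContext": {"country": "US"}}, "target": [{"type": "Tenant", "displayName": "umbrella"}]}
{"published": "2022-01-15T09:00:00Z", "eventType": "user.session.start", "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "alice@sitel.example"}, "client": {"ipAddress": "203.0.113.10", "geographicalContext": {"country": "US"}}, "target": []}
{"published": "2022-01-16T13:05:00Z", "eventType": "user.mfa.factor.activate", "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "bob@sitel.example"}, "client": {"ipAddress": "203.0.113.20", "geographicalContext": {"country": "US"}}, "target": [{"type": "Factor", "displayName": "Okta Verify"}]}
{"published": "2022-01-18T10:12:00Z", "eventType": "support.tenant.access", "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "alice@sitel.example"}, "client": {"ipAddress": "203.0.113.10", "geographicalContext": {"country": "US"}}, "target": [{"type": "Tenant", "displayName": "acme"}]}
{"published": "2022-01-19T14:00:00Z", "eventType": "support.tenant.access", "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "bob@sitel.example"}, "client": {"ipAddress": "203.0.113.20", "geographicalContext": {"country": "US"}}, "target": [{"type": "Tenant", "displayName": "globex"}]}
{"published": "2022-01-20T23:18:00Z", "eventType": "user.mfa.factor.activate", "outcome": {"result": "FAILURE"}, "actor": {"alternateId": "alice@sitel.example"}, "client": {"ipAddress": "198.51.100.7", "geographicalContext": {"country": "NL"}}, "target": [{"type": "Factor", "displayName": "Okta Verify"}]}
{"published": "2022-01-22T08:00:00Z", "eventType": "support.tenant.access", "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "alice@sitel.example"}, "client": {"ipAddress": "203.0.113.10", "geographicalContext": {"country": "US"}}, "target": [{"type": "Tenant", "displayName": "initech"}]}
"""


def parse_log(text):
    """Parse JSON-lines text into events sorted oldest-first by 'published'."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        # 'Z' suffix is not accepted by fromisoformat before Python 3.11
        ev["_ts"] = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
    return sorted(events, key=lambda ev: ev["_ts"])


def detect_new_location_factor_events(events):
    """Walk events in time order, learning each user's countries from successful
    sign-ins, and flag any MFA factor change from a country not yet seen for
    that user. Failed attempts are flagged too and never extend the baseline."""
    seen = defaultdict(set)
    alerts = []
    for ev in events:
        user = ev["actor"]["alternateId"]
        country = ev["client"]["geographicalContext"]["country"]
        if ev["eventType"] == "user.session.start" and ev["outcome"]["result"] == "SUCCESS":
            seen[user].add(country)
        elif ev["eventType"].startswith("user.mfa.factor.") and country not in seen[user]:
            alerts.append({"user": user, "country": country, "ip": ev["client"]["ipAddress"],
                           "eventType": ev["eventType"], "result": ev["outcome"]["result"],
                           "published": ev["published"]})
    return alerts


def scope_tenant_access(events, actors, start, end, event_type="support.tenant.access"):
    """Return {tenant: [(published, actor), ...]} for tenant-access events by the
    given actors with start <= published <= end. Other actors, other event
    types and events outside the window are ignored."""
    touched = defaultdict(list)
    for ev in events:
        actor = ev["actor"]["alternateId"]
        if ev["eventType"] != event_type or actor not in actors:
            continue
        if not (start <= ev["_ts"] <= end):
            continue
        for tgt in ev.get("target", []):
            if tgt.get("type") == "Tenant":
                touched[tgt["displayName"]].append((ev["published"], actor))
    return dict(touched)


# Assumed contractor accounts and the five-day window from the post (UTC).
SITEL_ACTORS = {"alice@sitel.example", "bob@sitel.example"}
WINDOW_START = datetime(2022, 1, 16, 0, 0, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2022, 1, 21, 23, 59, 59, tzinfo=timezone.utc)


def run():
    """Run both checks over the sample log; returns (alerts, tenants_touched)."""
    events = parse_log(SAMPLE_LOG)
    alerts = detect_new_location_factor_events(events)
    touched = scope_tenant_access(events, SITEL_ACTORS, WINDOW_START, WINDOW_END)
    return alerts, touched


if __name__ == "__main__":
    alerts, touched = run()
    for alert in alerts:
        print("ALERT new-location factor change:", alert)
    print("tenants touched in window:", sorted(touched))
```

On the sample data only the failed January 20 factor activation from a new country is flagged, while the legitimate January 16 enrollment from a known country is not; the scoping pass returns the two tenants touched inside the window and drops the accesses on January 14 and January 22 that fall outside it. Against a real log the same scoping output, grouped per tenant, is the shape of the per-customer report the post describes.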
Because of the limited access that the support engineers had, the information and the actions were constrained. While it is not a necessary step for customers, we fully expect they may want to complete their own analysis. For transparency, these customers will receive a report that shows the actions performed on their Okta tenant by Sitel during that period of time. We think this is the best way to let customers assess the situation for themselves.
As with all security incidents, there are many opportunities for us to improve our processes and our communications. I'm confident that we are moving in the right direction and that this incident will only serve to strengthen our commitment to security.